Scan your node for viruses and webshells with Yara
ClamAV with our own signature checker based on Yara.
Table of contents
- 1 Introduction
- 2 Scan your files for known web shells and malware manually
- 3 Useful examples
- 4 Scan your files from cron
Shop owners who want to comply with an ISO certification are required to periodically check their content for viruses and malware.
Scanning your web content can be done using Yara.
This open source malware signature checker and file scanner is present on all Hypernodes.
Every night a scan will be performed. This scanner is in beta at this moment.
When the scanner flags a possible malware file, it notifies our Abuse department at Byte.
On the first working day after the detection, the customer receives an e-mail from Byte with details.
The output of the daily scan we perform is written to /var/log/mwscan.log. If the scanner hits on a file, review that file. In most cases the malware was uploaded through an insecure downloader directory or the Magmi plugin, so try to find out how the file got there and close that path as well, otherwise it will simply be re-uploaded. Replace the file with the original as distributed by the developer, or remove it if it is not used. If you are not sure whether a file is malicious, contact email@example.com for more information.
If you find web shells, malicious files or injected PHP code that mwscan does not yet recognise, please report them by filing an issue on the GitHub repository of this tool, attaching the files as described in the contribution documentation.
Scan your files for known web shells and malware manually
When you run mwscan /data/web/public, it recursively scans all files present in that directory.
mwscan first loads all Yara rules it finds, then starts scanning:
[*] Using Files rules.
[*] Loading /usr/lib/python2.7/dist-packages/mwscan/data/all-confirmed.yar
[*] Loaded 96 yara rules and 40 whitelist entries
After finishing a scan, mwscan prints a short report. If all is well, a single line is printed:
[*] Finished scanning 11131 files: 0 malware and 0 whitelisted.
If files in your Magento installation match one of the Yara rules, each matching file name is printed together with the name of the rule it matched:
mwscan /data/web/public
[*] Using Files rules.
[*] Loading /usr/lib/python2.7/dist-packages/mwscan/data/all-confirmed.yar
[*] Loaded 96 yara rules and 40 whitelist entries
public/app/etc/modules/initversion.php: md5_023a80d10d10d911989e115b477e42b5
[*] Finished scanning 9867 files: 1 malware and 0 whitelisted.
A file matching a Yara rule is not necessarily infected. Always inspect the file by hand, for example by comparing it with the copy distributed by the developer, to decide whether it is a false positive or really malicious.
Always check the output, even when you suspect a false positive!
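The two checks a practitioner wants to run on every hit, before deciding between "false positive" and "clean up", are whether anybody ever requested the flagged file and which upload requests preceded it. The following triage helper is an added example and is not part of mwscan or the Hypernode scanner. It parses a report in the format shown above (status lines start with "[*]", hit lines are "path: rule") and correlates each hit with the web server's access log. It assumes the docroot is "public", the log is in the common nginx/Apache "combined" format, and the upload vectors mentioned on this page live under /downloader/ and /magmi/; the report and the log lines embedded below are constructed sample data, not real scan output.

```shell
#!/bin/sh
# Added triage helper for mwscan hits; not part of mwscan or the Hypernode
# scanner. It reads a report in the format shown above, strips the "[*]"
# status lines, and correlates every flagged file with the web server's
# access log to answer two questions: was the file ever requested, and
# which POST requests to known upload vectors preceded it.
# Assumptions (labelled as such): the docroot is "public", the log is in the
# nginx/Apache "combined" format, and the upload vectors live under
# /downloader/ and /magmi/. Both inputs below are constructed sample data.

MWSCAN_REPORT='[*] Using Files rules.
[*] Loading /usr/lib/python2.7/dist-packages/mwscan/data/all-confirmed.yar
[*] Loaded 96 yara rules and 40 whitelist entries
public/app/etc/modules/initversion.php: md5_023a80d10d10d911989e115b477e42b5
public/media/import/cache.php: php_eval_base64
[*] Finished scanning 9867 files: 2 malware and 0 whitelisted.'

# Constructed access-log sample: one upload via Magmi, two requests to the
# dropped shell, one unrelated visitor.
ACCESS_LOG='203.0.113.7 - - [12/Mar/2017:03:41:02 +0100] "POST /magmi/web/magmi.php?action=upload HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2017:03:41:09 +0100] "GET /media/import/cache.php?cmd=id HTTP/1.1" 200 87 "-" "Mozilla/5.0"
198.51.100.4 - - [12/Mar/2017:03:45:30 +0100] "GET /index.php HTTP/1.1" 200 14523 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2017:04:02:11 +0100] "POST /media/import/cache.php HTTP/1.1" 200 1204 "-" "curl/7.52.1"'

# Print "<path><TAB><rule>" for every hit line of a report read on stdin.
# Status lines start with "[*]"; hit lines look like "<path>: <rule>".
mwscan_hits() {
    awk '!/^\[\*\]/ && $0 ~ /^[^ ]+: [^ ]+$/ { sub(/: /, "\t"); print }'
}

# Map a path relative to the scan root onto the request URI the server logs.
to_uri() {
    printf '/%s\n' "${1#public/}"
}

# Every access-log line whose request path (query string ignored) is the
# flagged file. Exact string comparison, so regex metacharacters in the
# file name cannot widen the match.
requests_for() {
    uri=$(to_uri "$1")
    printf '%s\n' "$ACCESS_LOG" | awk -F'"' -v uri="$uri" '{
        split($2, req, " "); path = req[2]; sub(/\?.*/, "", path)
        if (path == uri) print
    }'
}

# Number of requests that reached the flagged file (0 if it was never hit).
request_count() {
    requests_for "$1" | wc -l | tr -d ' '
}

# POST requests to the upload vectors named on this page: the Magento
# Connect downloader and Magmi. The URL prefixes are an assumption.
upload_vectors() {
    printf '%s\n' "$ACCESS_LOG" | awk -F'"' '{
        split($2, req, " ")
        if (req[1] == "POST" && req[2] ~ /^\/(downloader|magmi)\//) print
    }'
}

# One summary line per hit, then the candidate upload requests. On a real
# node feed /var/log/mwscan.log and your access log instead of the samples.
triage() {
    tab=$(printf '\t')
    printf '%s\n' "$MWSCAN_REPORT" | mwscan_hits | while IFS="$tab" read -r path rule; do
        n=$(request_count "$path")
        first=$(requests_for "$path" | head -n 1 | awk '{ print $1, $4 }' | tr -d '[')
        printf 'HIT %s rule=%s requests=%s first=%s\n' "$path" "$rule" "$n" "${first:-never}"
    done
    printf 'POST requests to known upload vectors:\n'
    upload_vectors
}

triage
```

A hit that was never requested and matches only by file hash is a good candidate for a false positive; a hit that was requested from the same client that POSTed to the downloader or Magmi a few seconds earlier is the upload vector you need to close before cleaning up, otherwise the shell will simply be dropped again.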
Useful examples
Scan a single file
Check all files silently and print a report afterwards
mwscan -q /data/web/public
Check all files, not just the ones containing PHP code
mwscan --deep /data/web/public
To view all available options for mwscan, use the command flag
Scan all files using the most recent (experimental) signatures
To scan with the newest malware signatures, add the -s byte argument (long form: --ruleset byte). This selects the latest signatures, which are still experimental: they include the most recent malware we have seen, but may also produce more false positives than the confirmed rule set.
mwscan -s byte /data/web/public
Scan your files from cron
To scan your files daily from cron and have the output sent to your e-mail address, add the following line to your crontab. flock -n prevents two scans from overlapping, ts and ifne come from the moreutils package (ts prefixes every line with a timestamp, ifne only runs mail when the scanner actually printed something), and --quiet keeps the report limited to the hits themselves:
10 4 * * * flock -n ~/.mwscan.lock mwscan --ruleset byte /data/web/public --quiet | ts | tee -a /data/web/mwscan.log | ifne mail -s "Possible malware found at $(hostname)" -a 'From: Malware Scanner <firstname.lastname@example.org>' email@example.com